Authenticated Command Injection Vulnerability in Multiple Cisco Content Network and Video Delivery Products
Multiple Cisco content network and video delivery products contain a vulnerability when they are configured to run in central management mode. This vulnerability could allow an authenticated but unprivileged, remote attacker to execute arbitrary code on the affected system and on the devices managed by the affected system.

Vulnerable ProductsThe following products running a vulnerable version of code are affected by this vulnerability:

Cisco Wide Area Application Services (WAAS)
Cisco WAAS Software configured as Central Manager (CM) and running on the following platforms:

Cisco WAAS Appliances

Cisco Virtual WAAS (vWAAS)

Cisco WAAS Modules

Cisco Application and Content Networking System (ACNS)
Cisco ACNS Software configured as Content Distribution Manager (CDM) and running on the following platforms:

Cisco Wide Application Engine (WAE)

Cisco ACNS Network Modules

Cisco Enterprise Content Delivery System (ECDS)
Cisco ECDS Software configured as Content Delivery System Manager (CDSM) and running on the following platforms:

Cisco VideoScape Delivery System Origin Server (VDS-OS)
Cisco VOS Software and configured as Virtual Origin System Manager (VOSM) and running on the following platform:

Cisco Unified Computing System (UCS)

DetailsA vulnerability in the web framework could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of the affected system as well as on underlying operating system of the devices associated and managed by the affected system.

The vulnerability is due to a failure to properly sanitize user input that is subsequently used to perform an action using the underlying command-line interface of the device. An authenticated but unprivileged attacker could exploit this vulnerability by logging in to the GUI of the affected system and appending arbitrary code to some of values passed to the system.

ImpactSuccessful exploitation of the vulnerability may cause an authenticated but unprivileged, remote attacker to execute arbitrary commands on the affected system and on the devices managed by the affected system itself.

Vulnerable ProductsThe following products running a vulnerable version of Cisco WAAS Software and configured as Central Manager (CM) are affected by this vulnerability:

Cisco WAAS Appliances

Cisco Virtual WAAS (vWAAS)

Cisco WAAS Modules

Note: Only Cisco WAAS products configured as Central Manager are affected by this vulnerability.

Details
A vulnerability in the web service framework code of Cisco WAAS, when configured as Central Manager (CM) could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted POST request to the affected system. An exploit could allow the attacker to execute arbitrary code on the affected system. Due to the privileged function of the WAAS CM in the Cisco WAAS network, exploitation of this vulnerability could allow the attacker to gain administrative access to all the devices that have been associated to the vulnerable WAAS CM.

ImpactSuccessful exploitation of the vulnerability may cause an unauthenticated, remote attacker to execute arbitrary command and completely compromise the affected system.

Due to the privileged function of the Cisco WAAS CM in the Cisco WAAS network, exploitation of this vulnerability could allow the attacker to gain administrative access to all the devices that are associated to the vulnerable and compromised CM.

Multiple Vulnerabilities in the Cisco Video Surveillance Manager
Cisco VSM provides centralized configuration, management, display, and control of video from Cisco and third-party surveillance endpoints. Multiple security vulnerabilities exist in versions of Cisco VSM prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system.

Vulnerable ProductsCisco VSM versions prior to 7.0.0 are affected by the vulnerabilities disclosed in this advisory.

Details

Information Disclosure Through Directory Traversal: Cisco VSM does not properly validate user input to a number of pages, which may be used to gain access to sensitive system files. An unauthenticated, remote attacker may use a crafted URL to access sensitive system files.

Insufficient Authentication to Sensitive Information: Cisco VSM does not require authentication to access potentially sensitive information such as configuration, monitoring pages archives, and system logs. An unauthenticated, remote attacker may exploit these vulnerabilities to create, modify and remove camera feeds, archives, logs and users.

Impact
Successful exploitation of the vulnerabilities may allow an unauthenticated, remote attacker to gain administrative control of Cisco VSM. This access could allow an attacker to create, modify and remove camera feeds, archives, logs and users on the VSM.

Note: The Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability affects only the Cisco ASA 5500-X Series IPS SSP software module; Cisco IPS SSP hardware modules for the Cisco ASA 5585-X are not affected by this vulnerability.

Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
The following product is affected by the Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability:

Cisco Intrusion Prevention System Network Module Enhanced (IPS NME)

Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability

The following product is affected by the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability:
Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module

Details
Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability: A vulnerability in the IP stack could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not work properly. The vulnerability is due to improper handling of malformed IP packets from the management interface of the affected system. An attacker may exploit this vulnerability by sending malformed IP packets to the management interface.

The vulnerability can be triggered only by IPv4 traffic directed to the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability. If the Cisco IPS is configured in promiscuous mode, mitigation actions that require MainApp processing such as shun or rate-limit may be unavailable. If the Cisco IPS is configured in inline mode, the sensor may not correctly perform inspection and mitigation actions because the Analysis Engine process may not be working properly.

Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability: A vulnerability in the implementation of the code that processes fragmented traffic could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive or cause the affected system to reload. The vulnerability is due to improper handling of fragmented IP packets sent from the Cisco ASA data plane to the Cisco IPS processor for inspection and processing. An attacker could exploit this vulnerability by sending a combination of fragmented and other IP packets through the affected system. An exploit could allow the attacker to cause a reload of the affected system or cause the Analysis Engine process to become unresponsive. When the Analysis Engine process is unresponsive, the affected system will not process traffic, which will cause that traffic to be dropped. Additionally, if the Cisco ASA with a Cisco IPS SSP software module running an affected version of software is configured in High-Availability mode (HA), a failover event may be triggered when the Cisco IPS SSP reloads or stops forwarding traffic.

The vulnerability can be triggered by IPv4 and IPv6 fragmented packets passing through the affected system. Traffic directed to the management IP address of the Cisco IPS software module will not trigger this vulnerability.

Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability: A vulnerability in the memory allocation code could allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerability is due to improper handling of memory allocation when malformed IP packets are received on the management interface of the affected system. An attacker may exploit this vulnerability by sending malformed IP packets to the management IP address.

The vulnerability can be triggered only by IPv4 traffic directed to the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability.

Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability: A vulnerability in the IDSM-2 drivers could allow an unauthenticated, remote attacker to cause the system kernel to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks, including alert notification, event store management, sensor authentication, and traffic inspection. The Cisco IPS web server will also be unavailable.

The vulnerability is due to improper handling of malformed TCP packets from the management interface of the affected system. An attacker may exploit this vulnerability by sending malformed IP packets to the management interface. A TCP three-way handshake is not required to exploit this vulnerability. A hard system reboot is needed to restore the functionality of the system.

The vulnerability can be triggered only by IPv4 traffic directed to the management interface. Traffic passing through the sensing interfaces will not trigger this vulnerability.

ImpactSuccessful exploitation of the Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to cause the MainApp process to become unresponsive and prevent it from executing several tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive, and other processes such as the Analysis Engine process may not work properly.

If the Cisco IPS is configured in promiscuous mode, mitigation actions that require MainApp processing, such as shun or rate-limit, may be unavailable. If the Cisco IPS is configured in inline mode, there may be the possibility that the sensor will not be able to correctly perform inspection and mitigation actions because the Analysis Engine process may not be working properly. A hard system reload is required to restore the full functionality of the affected system.

Successful exploitation of the Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability may allow a remote, unauthenticated attacker to cause a reload of the affected system, or cause the Analysis Engine process to become unresponsive. When the Analysis Engine process is unresponsive, the affected system will not process traffic, which will cause that traffic to be dropped. Additionally, if the Cisco ASA with a Cisco IPS SSP software module running an affected version of software is configured in HA mode, a fail-over event may be triggered when the Cisco IPS SSP reloads or stops forwarding traffic.

Successful exploitation of the Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to cause a reload of a Cisco IPS NME.

Successful exploitation of the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to cause the kernel of the Cisco IDSM-2 Module to become unresponsive, which will create general system instability. This will prevent the affected system from executing several tasks, including alert notification, event store management, sensor authentication, and traffic inspection and mitigation. The Cisco IPS web server will also be unavailable and the system will be unreachable for remote management.

Multiple Vulnerabilities in Cisco Unified Communications Manager
Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could be used together to allow an unauthenticated, remote attacker to gather user credentials, escalate privileges, and execute commands to gain full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify information in Cisco Unified CM.

Vulnerable ProductsThe following products are affected by the vulnerabilities that are described in this advisory:

Cisco Unified Communications Manager 7.1(x)

Cisco Unified Communications Manager 8.5(x)

Cisco Unified Communications Manager 8.6(x)

Cisco Unified Communications Manager 9.0(x)

Cisco Unified Communications Manager 9.1(x)

Details
Blind Structured Query Language Injection Vulnerabilities
SQL injection vulnerabilities are due to a failure to perform proper validation of user-supplied requests prior to being used to form an SQL query. An attacker could exploit this behavior by injecting SQL commands. An exploit could allow the attacker to disclose or modify arbitrary information in the database.

Hard-Coded Encryption Key
An attacker could exploit this issue by using the secret key to decrypt sensitive data including user credentials. An exploit could allow the attacker to decrypt sensitive system information such as user credentials gained when using other attacks.

Command Injection Vulnerability
The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by submitting malicious input to the affected function.

Privilege Escalation Vulnerability
The vulnerabilities are due to improper file permissions, environment variables and relative paths in a privileged system script or binary. An attacker could exploit these vulnerabilities by modifying certain system scripts. This could allow the attacker to gain complete control of the affected system.

ImpactSuccessful exploitation of the blind SQL injection vulnerabilities could allow a remote attacker to reconstruct encrypted credentials and insert rows in the Cisco Unified CM database. The initial blind SQL injection allows an unauthenticated, remote attacker to use the hard-coded encryption key to obtain and decrypt a local user account. This allows for a subsequent, authenticated blind SQL injection.

Successful exploitation of the command injection and privilege escalation vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges.